From c336c490de46914e58f57e92b3b94e2a4f126c53 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Mon, 30 Jun 2025 10:19:05 +0000 Subject: [PATCH] feat(threat-hunting): DonPAPI detection --- source/threat-hunting/index.md | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index cb3d2f5..7cd3ddf 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -496,13 +496,13 @@ SPL: | table Time, host, EventCode, EventDescription, service_name, process, index ``` -## Credential Manager Dump +## Credential Manager/SAM Dump -References: [1](https://redcanary.com/blog/credential-access/), [2](https://gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e) +References: [1](https://redcanary.com/blog/credential-access/), [2](https://gist.github.com/JohnLaTwC/3e7dd4cd8520467df179e93fb44a434e), [DonPAPI](https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/) SPL: ```spl -| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 (Processes.process_name="rundll32.exe" Processes.process IN ("*keymdr.dll*", "*krshowkeymgr*")) OR (Processes.process_name="credwiz.exe" Processes.process="*.crd*") OR (Processes.process_name="vaultcmd.exe" Processes.process="*/list*") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s +| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 (Processes.process_name="rundll32.exe" Processes.process IN ("*keymdr.dll*", "*krshowkeymgr*")) OR (Processes.process_name="credwiz.exe" Processes.process="*.crd*") OR (Processes.process_name="vaultcmd.exe" Processes.process="*/list*") OR Processes.process IN ("*donpapi*", "*dpp*") OR (Processes.process_name="reg.exe" Processes.process IN ("c:\\windows\\system32\\reg.exe*save*", "c:\\windows\\system32\\reg.exe*export*") Processes.process IN ("c:\\windows\\system32\\reg.exe*sam*", "c:\\windows\\system32\\reg.exe*security*", "c:\\windows\\system32\\reg.exe*system*")) BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s | rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z") | lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email @@ -1416,19 +1416,6 @@ SPL: | table Time, host, TaskName, command, EventCode, EventDescription, user, TaskAttributes ``` -## SAM Credential Dump - -References: [1](https://redcanary.com/blog/credential-access/) -SPL: - -```spl -| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="reg.exe" Processes.process IN ("c:\\windows\\system32\\reg.exe*save*", "c:\\windows\\system32\\reg.exe*export*") Processes.process IN ("c:\\windows\\system32\\reg.exe*sam*", "c:\\windows\\system32\\reg.exe*security*", "c:\\windows\\system32\\reg.exe*system*") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s -| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription -| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S %z") -| lookup ad_users sAMAccountName AS user OUTPUT displayName AS Name, mail AS Email -| table Time, index, host, EventCode, EventDescription, process, user, Name, Email -``` - ## SIDHistory compromise Description: Malicious actors may add a value to the 'sIDHistory' attribute of a user object they control to establish persistence. "%%1793" occurs when SidHistory value is cleared